- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 13 Jun 2012 21:27:18 +0000 (UTC)
- To: whatwg@whatwg.org
On Wed, 25 Apr 2012, Tyler Larson wrote:
>
> While working with the canvas tag when you want to edit pixel data
> within an image loaded from another server you need to have these images
> served from a web server with cross origin resource sharing headers.
> http://www.w3.org/TR/cors/
>
> This means every web server around the internet will need to be
> reconfigured to output these headers for each asset they want to give
> access to. As you can see from threads like this
> https://forums.aws.amazon.com/thread.jspa?threadID=34281 hosts don't want
> to change the way they serve files. Reconfiguring most web servers is
> out of the question for a majority of situations.

This provides a competitive environment where hosting providers can cater
to authors who need CORS headers.

> The flash player has similar security concerns, you cannot load an
> image from another server and edit its pixel information without a
> crossdomain.xml file. This system has been in place so long that most
> companies have these files already in place and are usually giving
> access to all assets on their servers.
>
> http://www.google.com/crossdomain.xml
> http://www.apple.com/crossdomain.xml
> http://www.yahoo.com/crossdomain.xml
> http://www.adobe.com/crossdomain.xml

Given the number of security problems this has caused, I do not think we
should go down this route.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 13 June 2012 21:27:59 UTC